Date: Sun, 07 Apr 2002 14:09:16 -0700
From: Terry Lambert <tlambert2@mindspring.com>
To: Jan Grant <Jan.Grant@bristol.ac.uk>
Cc: Paweł Jakub Dawidek <nick@garage.freebsd.pl>, freebsd-hackers@freebsd.org
Subject: Re: Patch for setgroups().
Message-ID: <3CB0B57C.FA15FA25@mindspring.com>
References: <Pine.GSO.4.44.0204071517460.19282-100000@mail.ilrt.bris.ac.uk>

Jan Grant wrote:
> On Sun, 7 Apr 2002, Paweł Jakub Dawidek wrote:
> > What do You think about this patch?
> > This can help non-root applications like apache etc.
> > For example when I got access to many files from many groups when attacker
> > will exploit this application he got access to all files, coz there is no
> > way to setgroups() if I am non-root and maybe only demon needs access to all
> > files - child needs only access to files owned by one group.
>
> This breaks the (rare) case of using group membership for negative
> access control.

Specifically "exclusion groups", e.g.:

	# don't let bob use "ls"...
	cat >> /etc/group
	nols:*:200:bob
	chgrp nols /bin/ls
	chmod g= /bin/ls

This works because permissions are checked in owner/group/world
order, and because you cannot drop group membership, if you are
not the owner (root), then membership in the group "nols" denies
you access to the file, even though world access otherwise remains.

There are also programs that explicitly deny access based on group
membership, by internally asking to see what groups you are in,
and denying access on that basis. This is how a number of "games
wrappers" and similar programs function.

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
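
The owner/group/world ordering described in the message above, as an added example that is not part of the original e-mail and is not FreeBSD kernel code. It is a simplified model of the check (no root bypass, no ACLs); the uid 1001 for bob and the resulting mode 0505 for /bin/ls are constructed values, and `may_access` is a hypothetical helper name.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

struct cred {
    uid_t uid;
    gid_t gid;            /* primary group */
    const gid_t *groups;  /* supplementary groups */
    size_t ngroups;
};

static bool in_group(const struct cred *c, gid_t g)
{
    if (c->gid == g)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return true;
    return false;
}

/* First matching class decides: owner, then group, then world.
 * want is a bitmask of 4 (read), 2 (write), 1 (execute). */
bool may_access(const struct cred *c, uid_t f_uid, gid_t f_gid,
                mode_t mode, unsigned want)
{
    unsigned bits;
    if (c->uid == f_uid)
        bits = (mode >> 6) & 7;
    else if (in_group(c, f_gid))
        bits = (mode >> 3) & 7;  /* empty group bits deny; world is never consulted */
    else
        bits = mode & 7;
    return (bits & want) == want;
}

/* Constructed case: /bin/ls is root:nols (gid 200), mode 0505 after "chmod g=". */
bool bob_in_nols(void)
{
    const gid_t groups[] = { 200 };
    struct cred bob = { 1001, 1001, groups, 1 };
    return may_access(&bob, 0, 200, 0505, 1);
}

/* Same bob if an unprivileged setgroups() had let him drop "nols". */
bool bob_after_drop(void)
{
    struct cred bob = { 1001, 1001, NULL, 0 };
    return may_access(&bob, 0, 200, 0505, 1);
}

int main(void)
{
    printf("in nols: %d, after drop: %d\n", bob_in_nols(), bob_after_drop());
    return 0;
}
```

The group class matches first and has no bits set, so bob is denied while he is in "nols"; once the group is gone from his credentials the check falls through to the world bits and succeeds, which is why the exclusion depends on unprivileged processes being unable to shed groups.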
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3CB0B57C.FA15FA25>